Remove drop host user creation mode

CHANGELOG.md

@@ -12,6 +12,13 @@ rely on parsing the output from multiple nodes should pass the `--log-dir` flag
 to `tsh ssh`, which will create a directory where the separated output of each node
 will be written.
 
+#### `drop` host user creation mode
+
+The `drop` host user creation mode has been removed in Teleport 15. It is replaced
+by `insecure-drop`, which still creates temporary users but does not create a
+home directory. Users who need home directory creation should either wrap `useradd`/`userdel`
+or use PAM.
+
 ## 14.0.0 (09/20/23)
 
 Teleport 14 brings the following new major features and improvements:

api/proto/teleport/legacy/types/types.proto

@@ -2531,11 +2531,11 @@ enum CreateHostUserMode {
   HOST_USER_MODE_UNSPECIFIED = 0;
   // HOST_USER_MODE_OFF disables host user creation.
   HOST_USER_MODE_OFF = 1;
-  // HOST_USER_MODE_DROP enables host user creation and deletes users at session end.
-  HOST_USER_MODE_DROP = 2;
+  reserved 2; // HOST_USER_MODE_DROP replaced by HOST_USER_MODE_INSECURE_DROP.
+  reserved "HOST_USER_MODE_DROP";
   // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
   HOST_USER_MODE_KEEP = 3;
-  // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes
+  // HOST_USER_MODE_INSECURE_DROP enables host user creation without a home directory and deletes
   // users at session end.
   HOST_USER_MODE_INSECURE_DROP = 4;
 }

api/types/role.go

@@ -1815,7 +1815,6 @@ var LabelMatcherKinds = []string{
 
 const (
 	createHostUserModeOffString          = "off"
-	createHostUserModeDropString         = "drop"
 	createHostUserModeKeepString         = "keep"
 	createHostUserModeInsecureDropString = "insecure-drop"
 )
@@ -1826,8 +1825,6 @@ func (h CreateHostUserMode) encode() (string, error) {
 		return "", nil
 	case CreateHostUserMode_HOST_USER_MODE_OFF:
 		return createHostUserModeOffString, nil
-	case CreateHostUserMode_HOST_USER_MODE_DROP:
-		return createHostUserModeDropString, nil
 	case CreateHostUserMode_HOST_USER_MODE_KEEP:
 		return createHostUserModeKeepString, nil
 	case CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP:
@@ -1865,8 +1862,6 @@ func (h *CreateHostUserMode) decode(val any) error {
 		*h = CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED
 	case createHostUserModeOffString:
 		*h = CreateHostUserMode_HOST_USER_MODE_OFF
-	case createHostUserModeDropString:
-		*h = CreateHostUserMode_HOST_USER_MODE_DROP
 	case createHostUserModeKeepString:
 		*h = CreateHostUserMode_HOST_USER_MODE_KEEP
 	case createHostUserModeInsecureDropString:

api/types/role_test.go

@@ -372,7 +372,6 @@ func TestMarshallCreateHostUserModeJSON(t *testing.T) {
 	}{
 		{input: CreateHostUserMode_HOST_USER_MODE_OFF, expected: "off"},
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: ""},
-		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
 		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
@@ -389,7 +388,6 @@ func TestMarshallCreateHostUserModeYAML(t *testing.T) {
 	}{
 		{input: CreateHostUserMode_HOST_USER_MODE_OFF, expected: "\"off\""},
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: "\"\""},
-		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
 		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
@@ -406,7 +404,6 @@ func TestUnmarshallCreateHostUserModeJSON(t *testing.T) {
 	}{
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "\"off\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""},
-		{expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "\"drop\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "\"keep\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: 3},
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: 1},
@@ -427,7 +424,6 @@ func TestUnmarshallCreateHostUserModeYAML(t *testing.T) {
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "\"off\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: "off"},
 		{expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""},
-		{expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "drop"},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "keep"},
 		{expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: "insecure-drop"},
 	} {

integration/hostuser_test.go

@@ -203,28 +203,6 @@ func TestRootHostUsers(t *testing.T) {
 	t.Cleanup(func() { require.NoError(t, bk.Close()) })
 	presence := local.NewPresenceService(bk)
 
-	t.Run("test create temporary user and close", func(t *testing.T) {
-		users := srv.NewHostUsers(context.Background(), presence, "host_uuid")
-
-		testGroups := []string{"group1", "group2"}
-		closer, err := users.CreateUser(testuser, &services.HostUsersInfo{Groups: testGroups, Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP})
-		require.NoError(t, err)
-
-		testGroups = append(testGroups, types.TeleportServiceGroup)
-		t.Cleanup(cleanupUsersAndGroups([]string{testuser}, testGroups))
-
-		u, err := user.Lookup(testuser)
-		require.NoError(t, err)
-		requireUserInGroups(t, u, testGroups)
-		require.NotEmpty(t, u.HomeDir)
-		require.DirExists(t, u.HomeDir)
-
-		require.NoError(t, closer.Close())
-		_, err = user.Lookup(testuser)
-		require.Equal(t, err, user.UnknownUserError(testuser))
-		require.NoDirExists(t, u.HomeDir)
-	})
-
 	t.Run("test create temporary user without home dir", func(t *testing.T) {
 		users := srv.NewHostUsers(context.Background(), presence, "host_uuid")
 
@@ -255,7 +233,7 @@ func TestRootHostUsers(t *testing.T) {
 		require.ErrorIs(t, err, user.UnknownGroupIdError(testGID))
 
 		closer, err := users.CreateUser(testuser, &services.HostUsersInfo{
-			Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+			Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 			UID:  testUID,
 			GID:  testGID,
 		})
@@ -273,8 +251,6 @@ func TestRootHostUsers(t *testing.T) {
 		require.Equal(t, u.Uid, testUID)
 		require.Equal(t, u.Gid, testGID)
 
-		require.FileExists(t, filepath.Join("/home", testuser, ".bashrc"))
-
 		require.NoError(t, closer.Close())
 		_, err = user.Lookup(testuser)
 		require.Equal(t, err, user.UnknownUserError(testuser))
@@ -298,7 +274,7 @@ func TestRootHostUsers(t *testing.T) {
 		})
 		closer, err := users.CreateUser(testuser,
 			&services.HostUsersInfo{
-				Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+				Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 			})
 		require.NoError(t, err)
 		err = sudoers.WriteSudoers(testuser, []string{"ALL=(ALL) ALL"})
@@ -327,7 +303,7 @@ func TestRootHostUsers(t *testing.T) {
 
 		deleteableUsers := []string{"teleport-user1", "teleport-user2", "teleport-user3"}
 		for _, user := range deleteableUsers {
-			_, err := users.CreateUser(user, &services.HostUsersInfo{Mode: types.CreateHostUserMode_HOST_USER_MODE_DROP})
+			_, err := users.CreateUser(user, &services.HostUsersInfo{Mode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP})
 			require.NoError(t, err)
 		}
 

integrations/operator/controllers/resources/role_controller_test.go

@@ -90,15 +90,15 @@ allow:
   - ubuntu
   - root
 options:
-  create_host_user_mode: 2
+  create_host_user_mode: 4
 `,
 			shouldFail: false,
 			expectedSpec: &types.RoleSpecV6{
 				Allow: types.RoleConditions{
 					Logins: []string{"ubuntu", "root"},
 				},
 				Options: types.RoleOptions{
-					CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+					CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 				},
 			},
 		},

lib/services/access_checker.go

@@ -883,7 +883,7 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 		if createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
 			createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_OFF
 			if createHostUser != nil && createHostUser.Value {
-				createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_DROP
+				createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_KEEP
 			}
 		}
 
@@ -896,8 +896,8 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 		if mode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
 			mode = createHostUserMode
 		}
-		// prefer to use HostUserModeKeep over Drop if mode has already been set.
-		if (mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP) &&
+		// prefer to use HostUserModeKeep over InsecureDrop if mode has already been set.
+		if mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP &&
 			createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_KEEP {
 			mode = types.CreateHostUserMode_HOST_USER_MODE_KEEP
 		}

lib/services/role_test.go

@@ -7375,7 +7375,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 		{
 			test:         "test exact match, one role, can create",
 			canCreate:    true,
-			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
 			roles: NewRoleSet(&types.RoleV6{
 				Spec: types.RoleSpecV6{
 					Options: types.RoleOptions{
@@ -7398,7 +7398,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 		{
 			test:         "test two roles, 1 exact match, one can create",
 			canCreate:    false,
-			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
 			roles: NewRoleSet(&types.RoleV6{
 				Spec: types.RoleSpecV6{
 					Options: types.RoleOptions{
@@ -7430,7 +7430,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 		{
 			test:         "test three roles, 2 exact match, both can create",
 			canCreate:    true,
-			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+			expectedMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
 			roles: NewRoleSet(&types.RoleV6{
 				Spec: types.RoleSpecV6{
 					Options: types.RoleOptions{
@@ -7496,9 +7496,9 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 			types.CreateHostUserMode_HOST_USER_MODE_OFF,
 		),
 		createDefaultTCWithMode(
-			"test can create when create host user mode is drop",
+			"test can create when create host user mode is insecure-drop",
 			true,
-			types.CreateHostUserMode_HOST_USER_MODE_DROP,
+			types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 		),
 		createDefaultTCWithMode(
 			"test can create when create host user mode is keep",
@@ -7529,7 +7529,7 @@ func TestHostUsers_CanCreateHostUser(t *testing.T) {
 			}, &types.RoleV6{
 				Spec: types.RoleSpecV6{
 					Options: types.RoleOptions{
-						CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_DROP,
+						CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP,
 					},
 					Allow: types.RoleConditions{
 						NodeLabels: types.Labels{"success": []string{"abc"}},

lib/srv/usermgmt.go

@@ -278,7 +278,7 @@ func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo)
 		}
 		groups = append(groups, group)
 	}
-	if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_DROP || ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
+	if ui.Mode == types.CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP {
 		groups = append(groups, types.TeleportServiceGroup)
 	}
 	var errs []error